METHOD AND APPARATUS FOR GENERATING A CRYPTOGRAPHIC KEY

The present invention relates to a method and apparatus for generating a 
cryptographic key. 

With the ever-increasing spread of electronic communication and electronic identification there has been a corresponding increase in demand for cryptographic processes, where users require cryptographic processes to enable encryption of data for security purposes and/or for the purposes of providing identification.

Typically encryption keys are certified by trusted authorities and disseminated using digital certificates where, to allow widespread availability of cryptographic processes, a hierarchy of trust authorities exists. Within a hierarchy of trust authorities a root trust authority issues a digital certificate for a private/public key to a second level trust authority by using the root authority's private key to sign the second level trust authority's public key, thereby providing confirmation that the second level private key is authorized by the root authority. Correspondingly the second level trust authority issues a digital certificate for a different private/public key to a third level trust authority that is signed with the second level's private key, and so forth. However, for a user to determine that the public key associated with the third level trust authority is derived with the authority of the root trust authority it is necessary for the user to trace the digital certificates that incorporate the various public keys.

It is desirable to improve this situation.
In accordance with a first aspect of the present invention there is provided a method for generating a private key comprising generating a first and second cryptographic key for a first party; generating a third and fourth cryptographic key for a second party wherein the fourth cryptographic key is derived from the first and third cryptographic key; generating a number that in association with the second cryptographic key, the third cryptographic key and the fourth cryptographic key define a first cryptographic parameter, a second cryptographic parameter and a third cryptographic parameter respectively; combining the number with a third party's public key to define an associated private key.

In accordance with a second aspect of the present invention there is provided a method for generating a cryptographic key comprising generating a first cryptographic key and a second cryptographic key for a first party; generating a third cryptographic key and fourth cryptographic key for a second party wherein the fourth cryptographic key is derived from the first cryptographic key and third cryptographic key; generating a number that in association with the second cryptographic key, the third cryptographic key and the fourth cryptographic key define a first, second and third cryptographic parameter respectively; combining the number with a fifth cryptographic key associated with a third party to define an associated cryptographic key such that an association can be established between the fifth cryptographic key of the third party and the second cryptographic key of the first party.

This provides the advantage of allowing a trust authority in one level of a trust hierarchy, given a master private key generated by a trust authority in a higher level of the hierarchy, to generate a private/public key pair without further interaction from the trust authority in the higher level of the hierarchy. This also provides the advantage of allowing a trust hierarchy to be established without requiring the use of digital certificates. Further, the public key corresponding to the private key generated by the trust authority can be universally verified, where a verifier can be certain that the private key must have been generated with knowledge of the higher level trust authority's private key, without requiring disclosure of the higher level trust authority's private key.

In accordance with a third aspect of the present invention there is provided a method for generating a private key comprising generating a first private key and public key for a first party; generating a second private and public key for a second party wherein the second private key is derived from the first private key and second public key; generating a number that in association with the first public key, the second private and public key define a first, second and third public parameter respectively; combining the number with a third public key associated with a third party to define an associated private key such that an association can be established between the third public key of the third party and the first public key of the first party.

Preferably the number is a random number.

Preferably the association between the third public key and first public key is established using a bilinear map, such as a Tate or Weil pairing.

Preferably the first party is a first trusted party and the second party is a second trusted party.

In accordance with a fourth aspect of the present invention there is provided a method for generating a private key comprising generating a first private key and public key for a first party; generating a second private and public key for a second party wherein the second private key is derived from the first private key and second public key; generating a third private key for the second party that in association with the first public key, the second private key and the second public key define a first cryptographic parameter, a second cryptographic parameter and a third public key respectively; combining the third private key with a third party's public key to define an associated private key such that an association can be established between the third public key of the second party and the first public key of the first party.

In accordance with a fifth aspect of the present invention there is provided a computer apparatus for generating a private key comprising a processor arranged to generate a number that in association with a first private key and public key associated with a first party define a first and second public parameter respectively wherein the first private key is derived from a second private key associated with a second party and the first public key; and combining the number with a second public key associated with a third party to define an associated private key such that an association can be established between the second public key of the third party and a third public key of the second party.

Preferably the association between the second public key and the third public key is established using a bilinear map, such as a Tate or Weil pairing.

Preferably the first party is a first trusted party and the second party is a second trusted party.

For a better understanding of the present invention and to understand how the same may be brought into effect, reference will now be made, by way of example only, to the accompanying drawings, in which:

Figure 1 illustrates a computer system according to an embodiment of the present invention;

Figure 2 illustrates a computer system according to an embodiment of the present invention.

Figure 1 shows a first computer entity 10, a second computer entity 20, a third computer entity 30 and a fourth computer entity 40 connected via a network 50, for example the Internet.

The first computer entity 10 represents a first trust authority 60, for example a company; the second computer entity 20 represents a second trust authority 70, for example a division within the company; and the third computer entity 30 represents a user 80, for example a worker within the company. The fourth computer entity 40 represents, for example, a business partner 90 of the company that wishes to interact with the user 80.

The first, second, third and fourth computer entities 10, 20, 30, 40 are 
conventional computing devices as is well known to a person skilled in the art. 

The first computer entity 10 and second computer entity 20 form a trust authority hierarchy in which the first computer entity 10 acts as a root trust authority and the second computer entity 20 acts as a middle level trust authority, thereby forming a public-key infrastructure. As described in detail below, on receipt by the second computer entity 20 of a master private key generated by the first computer entity 10, the second computer entity 20 is able, using identifier-based cryptography, to generate a private/public key pair without further interaction from the first computer entity 10, where the public key can be verified, without the need for digital certificates, such that the verifier can be convinced that the public key could only be generated with knowledge of the master private key generated by the first computer entity 10.

The following embodiment utilises identifier-based cryptography using the Tate pairing to provide multiple levels of trust authorities; however, other types of pairing may also be used, for example Weil pairings.

For the purposes of this embodiment $G_1$ and $G_2$ denote two groups of prime order $q$ in which the discrete logarithm problem is believed to be hard and for which there exists a computable bilinear map, for example a Tate pairing, i.e.

$t : G_1 \times G_1 \to G_2$

$G_1$ is a group of points on an elliptic curve and $G_2$ is a subgroup of a multiplicative group of a finite field.

As the mapping between $G_1$ and $G_2$ is bilinear, exponents/multipliers can be moved around. For example, if $a, b, c \in \mathbb{F}_q$ and $P, Q \in G_1$ then

$t(aP, bQ)^c = t(aP, cQ)^b = t(bP, cQ)^a = t(bP, aQ)^c = t(cP, aQ)^b = t(cP, bQ)^a$
$= t(abP, Q)^c = t(abP, cQ) = t(P, abQ)^c = t(cP, abQ)$
$= t(abcP, Q) = t(P, abcQ) = t(P, Q)^{abc}$

Additionally, for the purposes of this embodiment the following cryptographic hash functions are defined:

$H_1 : \{0,1\}^* \to G_1$

$H_2 : \{0,1\}^* \to \mathbb{F}_q$

$H_3 : G_2 \to \{0,1\}^*$

To provide a trust hierarchy a public/private key pair is defined for a trust authority where the public key $R$ is $R \in G_1$ and the private key $s$ is $s \in \mathbb{F}_q$, with $R = sP$ where $P$, a public parameter, is $P \in G_1$.

Additionally, an identifier-based public key $Q_{ID}$ / private key $S_{ID}$ pair is defined where $Q_{ID}, S_{ID} \in G_1$ and the trust authority's public/private key pair $(R, s)$ is linked with the identifier-based public/private key by

$S_{ID} = sQ_{ID}$ and $Q_{ID} = H_1(ID)$

where $ID$ is an identifier string.

Accordingly, to allow a holder of the private part $s$ of the trust authority's public/private key pair to sign a bit string, where $m$ denotes the message to be signed, it is necessary to compute $V = sH_1(m)$. Verification requires that the following equation is satisfied:

$t(P, V) = t(R, H_1(m))$

This is based upon the mapping between $G_1$ and $G_2$ being bilinear, so that exponents/multipliers can be moved around as described above. That is to say,

$t(P, V) = t(P, sH_1(m))$
$= t(P, H_1(m))^s$
$= t(sP, H_1(m))$
$= t(R, H_1(m))$

In particular, identifier-based encryption allows the holder of the private key $S_{ID}$ of an identifier-based key pair to decrypt a message sent to them encrypted using the associated public key $Q_{ID}$.

The message to be encrypted is denoted by $m$.

First compute $U = rP$ where $r$ is a random element of $\mathbb{F}_q$.

Then compute $V = m \oplus H_3(t(R, rQ_{ID}))$.

This results in the generation of the ciphertext $U$ and $V$.

Decryption of the message is performed by computing:

$V \oplus H_3(t(U, S_{ID})) = V \oplus H_3(t(rP, sQ_{ID}))$
$= V \oplus H_3(t(P, Q_{ID})^{rs})$
$= V \oplus H_3(t(sP, rQ_{ID}))$
$= V \oplus H_3(t(R, rQ_{ID}))$
$= m$

Correspondingly, identifier-based signatures using the Tate pairing can be implemented. For example:

First compute $r = t(P, P)^k$

where $k$ is a random element of $\mathbb{F}_q$.

Then apply the hash function $H_2$ to $m \| r$ (the concatenation of $m$ and $r$) to obtain $h = H_2(m \| r)$.

Then compute

$U = hS_{ID} + kP$.

This generates the output $(U, h)$ as the signature on the message $m$.

Verification of the signature can be established by computing:

$r = t(U, P) \cdot t(Q_{ID}, R)^{-h}$

where the signature can only be accepted if $h = H_2(m \| r)$.
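The following Python program is an added worked example of the identifier-based encryption and signature schemes just described; it is not part of the patent text. A real Tate pairing on an elliptic curve is far beyond a short listing, so the program uses a constructed toy bilinear map in which a point $aP$ is stored as the scalar $a$ and $t(aP, bP) = G^{ab} \bmod p$. This map is bilinear exactly as the text requires, so the encryption and signature identities hold, but the "discrete logarithm" in $G_1$ is the stored scalar itself; the toy therefore has no security at all and serves only to check the key algebra. The function names (pair, H1, H2, H3, ibe_encrypt, ibs_sign and so on) and the SHA-256/SHAKE instantiations of the hash functions are this example's own assumptions.

```python
import hashlib
import secrets

# --- toy bilinear map (constructed for this example; NOT a real Tate pairing) ---
# A "point" aP of G1 is stored as the scalar a mod N; G2 is the multiplicative group
# of Z_p; t(aP, bP) = G^(ab) mod p.  Bilinear like a real pairing, but the discrete
# log in G1 is the stored scalar, so this offers no security: algebra check only.
P_MOD = (1 << 127) - 1   # p = 2^127 - 1 (a Mersenne prime)
N = P_MOD - 1            # G^N == 1 mod p, so pairing exponents reduce mod N
G = 3                    # base element of G2
P = 1                    # the public point P, i.e. the scalar 1


def pair(A, B):
    """t(aP, bP) = G^(a*b) mod p; satisfies pair(x*A, y*B) == pair(A, B)^(x*y)."""
    return pow(G, (A * B) % N, P_MOD)


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


# Hash functions H1, H2, H3 as defined in the text (SHA-256 / SHAKE stand-ins)
def H1(identity):      # {0,1}* -> G1: identifier string to a non-zero "point" Q_ID
    return 1 + int.from_bytes(hashlib.sha256(b"H1" + identity).digest(), "big") % (N - 1)


def H2(data):          # {0,1}* -> F_q (here Z_N)
    return int.from_bytes(hashlib.sha256(b"H2" + data).digest(), "big") % N


def H3(g2_elem, n):    # G2 -> {0,1}^n: a mask as long as the message
    return hashlib.shake_256(g2_elem.to_bytes(16, "big")).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- trust authority: standard pair (s, R = sP) and ID-based key extraction ---
def ta_keygen():
    s = rand_scalar()
    return s, (s * P) % N


def extract(s, identity):
    """S_ID = s * Q_ID, with Q_ID = H1(ID)."""
    return (s * H1(identity)) % N


# --- identifier-based encryption: U = rP, V = m XOR H3(t(R, rQ_ID)) ---
def ibe_encrypt(R, identity, m):
    r = rand_scalar()
    U = (r * P) % N
    V = xor(m, H3(pair(R, (r * H1(identity)) % N), len(m)))
    return U, V


def ibe_decrypt(S_ID, U, V):
    """m = V XOR H3(t(U, S_ID)); works because t(rP, sQ_ID) == t(sP, rQ_ID)."""
    return xor(V, H3(pair(U, S_ID), len(V)))


# --- identifier-based signature: r = t(P,P)^k, h = H2(m || r), U = h*S_ID + kP ---
def ibs_sign(S_ID, m):
    k = rand_scalar()
    r = pow(pair(P, P), k, P_MOD)
    h = H2(m + r.to_bytes(16, "big"))
    U = (h * S_ID + k * P) % N
    return U, h


def ibs_verify(R, identity, m, U, h):
    """Recover r = t(U, P) * t(Q_ID, R)^(-h) and accept iff h == H2(m || r)."""
    r = (pair(U, P) * pow(pair(H1(identity), R), (-h) % N, P_MOD)) % P_MOD
    return h == H2(m + r.to_bytes(16, "big"))


if __name__ == "__main__":
    s, R = ta_keygen()
    S_bob = extract(s, b"Bob")
    U, V = ibe_encrypt(R, b"Bob", b"message for Bob")
    print(ibe_decrypt(S_bob, U, V))
    sig = ibs_sign(S_bob, b"signed by Bob")
    print(ibs_verify(R, b"Bob", b"signed by Bob", *sig), ibs_verify(R, b"Bob", b"forged", *sig))
```

The exponent $-h$ on $t(Q_{ID}, R)$ in ibs_verify is what cancels the $hS_{ID}$ term of $U$ and leaves $t(P, P)^k$; the verifier must also recompute $Q_{ID}$ from the claimed identity itself, otherwise a signature by any key issued by the same authority would be accepted. A deployment would replace the toy map with a pairing on a pairing-friendly curve and check that $U$ is a genuine element of $G_1$ before pairing it.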

Based upon the identifier-based cryptography described above, the root trust authority (i.e. the first trust authority 60) can be linked to a pseudo-master private key generated by the middle level trust authority (i.e. the second trust authority 70) such that the link can be verified without the need for any digital certificates, as will now be described.

Based upon the above nomenclature, Table 1 lists the standard and ID-based public/private key pairs that are set up for the first trust authority 60 and the second trust authority 70, where $P$, a public parameter, is an arbitrary point on an elliptic curve.

Entity    | Standard private key | Standard public key | ID-based private key    | ID-based public key
First TA  | $s_1$                | $R_{TA1} = s_1 P$    |                         |
Second TA | $s_2$                | $R_{TA2} = s_2 P$    | $S_{TA2} = s_1 Q_{TA2}$ | $Q_{TA2} = H_1(TA2)$

Table 1

The second trust authority 70 creates a pseudo-master private key by selecting a random number $r$ where $r \in \mathbb{F}_q$; the random number $r$ is the pseudo-master private key. Once the pseudo-master key has been selected the second trust authority 70 generates the following public keys:

$rs_1Q_{TA2}$, $rP$ and $rQ_{TA2}$

It should be noted, however, that even though in the above example the second trust authority 70 has created a single pseudo-master private key, the second trust authority 70 could generate any number of pseudo-master private keys.

The user 80 registers with the second trust authority 70 to obtain an associated private key for the user's public key, where the user's public key could be any form of identifier, for example the user's name 'Bob', where the public key $H_1(Bob) = Q_{Bob}$ would map to a point on an elliptic curve defined by $G_1$.

On registration, the second trust authority 70 provides the user 80 with the appropriate private key, which would be a combination of the user's public key and the second trust authority's pseudo-master private key, i.e. $rQ_{Bob}$.

Consequently, utilizing the Tate pairing algorithms described above it is possible to verify the 'meaning' of $rs_1Q_{TA2}$, $rP$ and $rQ_{TA2}$ using:

$t(rP, Q_{TA2}) = t(P, rQ_{TA2})$ and
$t(P, rs_1Q_{TA2}) = t(s_1P, rQ_{TA2})$

Further, $(P, sP)$ in the above ID-based encryption and ID-based signature algorithms can be replaced with either $(P, rP)$ or $(Q_{TA2}, rQ_{TA2})$, and $t(Q_{ID}, sP) = t(sQ_{ID}, P)$ replaced with $t(Q_{Bob}, rP) = t(rQ_{Bob}, P)$ or $t(Q_{Bob}, rQ_{TA2}) = t(rQ_{Bob}, Q_{TA2})$.
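The following Python program is an added worked example of the pseudo-master key mechanism described in this section, from the root issuing $S_{TA2}$ through the two verification equations to encryption for Bob with $(Q_{TA2}, rQ_{TA2})$ substituted for $(P, sP)$; it is not part of the patent text. As in the earlier example, it relies on a constructed toy bilinear map (a point $aP$ stored as the scalar $a$, $t(aP, bP) = G^{ab} \bmod p$) that is bilinear but has no security and only checks the algebra. The names pair, H1, H3, root_keygen, pseudo_master, verify_published and the rest are this example's assumptions, as is the dictionary layout used for the published triple.

```python
import hashlib
import secrets

# --- toy bilinear map (constructed for this example; NOT a real Tate pairing) ---
# A "point" aP of G1 is stored as the scalar a mod N; t(aP, bP) = G^(ab) mod p.
# Bilinear like a real pairing, but with no security: it only checks the algebra.
P_MOD = (1 << 127) - 1   # p = 2^127 - 1 (a Mersenne prime)
N = P_MOD - 1            # G^N == 1 mod p, so pairing exponents reduce mod N
G = 3
P = 1                    # the public point P, i.e. the scalar 1


def pair(A, B):
    return pow(G, (A * B) % N, P_MOD)


def H1(identity):      # {0,1}* -> G1 (non-zero "point")
    return 1 + int.from_bytes(hashlib.sha256(b"H1" + identity).digest(), "big") % (N - 1)


def H3(g2_elem, n):    # G2 -> {0,1}^n
    return hashlib.shake_256(g2_elem.to_bytes(16, "big")).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Root trust authority (first TA 60): standard key pair (s1, R_TA1 = s1 P)
def root_keygen():
    s1 = secrets.randbelow(N - 1) + 1
    return s1, (s1 * P) % N


# The root issues the middle level TA its ID-based private key S_TA2 = s1 * Q_TA2
def root_issue(s1, ta_identity):
    return (s1 * H1(ta_identity)) % N


# The middle level TA (second TA 70) picks a pseudo-master private key r and publishes
# r*S_TA2, r*P and r*Q_TA2.  No further contact with the root is needed.
def pseudo_master(S_TA2, ta_identity):
    r = secrets.randbelow(N - 1) + 1
    published = {"rS": (r * S_TA2) % N, "rP": (r * P) % N, "rQ": (r * H1(ta_identity)) % N}
    return r, published


# Anyone holding the root's public key R_TA1 checks the triple with two pairing
# equations and no certificate:
#   t(rP, Q_TA2) = t(P, rQ_TA2)       the same r was used for rP and rQ_TA2
#   t(P, rS_TA2) = t(R_TA1, rQ_TA2)   rS_TA2 can only be formed with the root's s1
def verify_published(R_TA1, ta_identity, published):
    Q_TA2 = H1(ta_identity)
    same_r = pair(published["rP"], Q_TA2) == pair(P, published["rQ"])
    root_issued = pair(P, published["rS"]) == pair(R_TA1, published["rQ"])
    return same_r and root_issued


# User registration: Bob's private key is r * Q_Bob
def issue_user_key(r, user_identity):
    return (r * H1(user_identity)) % N


# ID-based encryption to Bob with (Q_TA2, rQ_TA2) in place of (P, sP):
#   U = k Q_TA2,  V = m XOR H3(t(rQ_TA2, k Q_Bob))
def encrypt(published, ta_identity, user_identity, m):
    k = secrets.randbelow(N - 1) + 1
    U = (k * H1(ta_identity)) % N
    V = xor(m, H3(pair(published["rQ"], (k * H1(user_identity)) % N), len(m)))
    return U, V


def decrypt(S_user, U, V):
    """t(k Q_TA2, r Q_Bob) == t(r Q_TA2, k Q_Bob) by bilinearity, so the mask matches."""
    return xor(V, H3(pair(U, S_user), len(V)))


if __name__ == "__main__":
    s1, R_TA1 = root_keygen()
    r, pub = pseudo_master(root_issue(s1, b"TA2"), b"TA2")
    print("published triple checks against root:", verify_published(R_TA1, b"TA2", pub))
    S_bob = issue_user_key(r, b"Bob")
    print(decrypt(S_bob, *encrypt(pub, b"TA2", b"Bob", b"hello Bob")))
```

A relying party only ever needs $R_{TA1}$ and the identifier string "TA2" to run verify_published; a triple assembled without $s_1$ fails the second equation, and a triple whose $rP$ and $rQ_{TA2}$ were formed with different values of $r$ fails the first. Because the toy $G_1$ is just integers, the real-curve membership checks on the three published points are omitted here and would be required in practice.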


Figure 2 illustrates the same computer network as that shown in Figure 1 with the addition of a fifth computer entity 100. The fifth computer entity 100 acts as another middle level trust authority (i.e. a third trust authority 200) independent of the second computer entity 20, where the first computer entity 10 is the root trust authority for both the second computer entity 20 and the fifth computer entity 100. As with the second computer entity 20, on receipt by the fifth computer entity 100 of a master private key generated by the first computer entity 10 the fifth computer entity 100 is able to generate a private/public key pair as described above. The network 50 could include additional middle level trust authorities; however, for the purposes of this embodiment only two middle level trust authorities will be described.

As described below, the user 80 has an independent identity associated with each middle level trust authority 70, 200, where each independent identity corresponds to a public key of the user 80. Each middle level trust authority 70, 200 provides a private key corresponding to the respective user's public key, as described above. To send an encrypted message to the user 80 the business partner 90 encrypts the message with a combination of the user's public keys associated with the respective middle level trust authorities 70, 200 (i.e. the user's identities associated with the respective trust authorities) and the respective trust authority's public key. To recover the encrypted message the user 80 decrypts the message with a combination of the same trust authority's public keys and the user's corresponding private key.

To sign a message a user 80 uses each trust authority's public key in combination with the user's associated private keys. To verify the signature a verifier uses a combination of the trust authority's public key with the user's corresponding public keys.

The following embodiment utilises identifier-based cryptography using Tate pairings to allow the generation of a public key that is a combination of independent identities associated with respective middle level trust authorities 70, 200.

The second trust authority 70 has a public key $R_{TA1}$ and a corresponding private key $s_1$ where $R_{TA1} = s_1P$, with $P$ being a point on an elliptic curve, as described above.

The third trust authority 200 has a public key $R_{TA2}$ and a corresponding private key $s_2$ where $R_{TA2} = s_2P$, with $P$ being a point on an elliptic curve, as described above.

For $n$ trust authorities the public/private key pair could be generalised by:
$R_{TAi} = s_iP$

Associated with each middle level trust authority 70, 200 the user 80 has an independent identity; that is to say, with the second trust authority 70 the user 80 has an identity ID1, for example the user's name 'Bob', and with the third trust authority 200 the user 80 has another identity ID2, for example the name of the company the user 80 works for.

Accordingly, the user 80 has independent identity-based private keys and public keys with each middle level trust authority 70, 200, where the user's identity-based public key with the second trust authority 70 is $Q_{ID1} = H_1(ID1)$ and the user's identity-based private key with the second trust authority 70 is $S_1$, where $S_1 = s_1Q_{ID1}$, and the user's identity-based public key with the third trust authority 200 is $Q_{ID2} = H_1(ID2)$ and the user's identity-based private key with the third trust authority 200 is $S_2$, where $S_2 = s_2Q_{ID2}$.

To allow the business partner 90 to encrypt a message $m$ for the user 80 based upon the independent identities associated with each middle level trust authority 70, 200, the business partner 90 generates ciphertext $V$ and $U$, where:

$V = m \oplus H_3\left(\prod_i t(R_{TAi}, rQ_{IDi})\right)$

and $r$ is a random number selected by the business partner 90.

Decryption is performed by computing:

$m = V \oplus H_3\left(t\left(U, \sum_i S_i\right)\right)$

Accordingly, message $m$ can only be decrypted with knowledge of both private keys $S_1$, $S_2$.

The following embodiments utilise identifier-based cryptography using Weil pairings to allow the generation of a public key that is a combination of independent identities associated with respective middle level trust authorities 70, 200. In a more general case, the trust authorities can be totally independent of each other and there is no need for any business relationship to exist between the trust authorities; in fact the trust authorities do not need to know each other. For example, the trust authorities may not belong to the same root trust authority. Indeed, one or more of the trust authorities could be a root authority.

The first embodiment utilizing Weil pairings allows the business partner 90 to encrypt a message $m \in \{0,1\}^n$ for the user 80, which the user can decrypt if the user 80 has a number of private keys $d_{IDi}$ ($i = 1, \ldots, n$), each respectively issued by a trust authority $TA_i$ ($i = 1, \ldots, n$) corresponding to a public key $Q_{IDi}$ ($i = 1, \ldots, n$).

Each trust authority chooses a large (at least 512-bit) prime $p$ such that $p \equiv 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$. Further, $E$, an elliptic curve, is defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$.

An arbitrary point on the elliptic curve is chosen, where $P \in E/\mathbb{F}_p$ of order $q$.

Four hash functions are defined:
$H_1 : \{0,1\}^* \to \mathbb{F}_p$;
$H_2 : \mathbb{F}_{p^2} \to \{0,1\}^n$ for some $n$;
$H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q$;
and $H_4 : \{0,1\}^n \to \{0,1\}^n$.



300202699

Each trust authority $TA_i$ ($i = 1, \ldots, n$) respectively selects a random $s_i \in \mathbb{Z}_q$ and sets $P_{pub\,i} = [s_i]P$.

The user 80 registers with each respective trust authority, providing each trust authority with an appropriate independent identifier $ID_i$ ($i = 1, \ldots, n$) $\in \{0,1\}^*$.

Each trust authority then computes an appropriate MapToPoint$(H_1(ID_i)) = Q_{IDi} \in E/\mathbb{F}_p$ of order $q$ and sets the user's corresponding private key $d_{IDi}$ to be $d_{IDi} = [s_i]Q_{IDi}$.


To encrypt a message $m$, the business partner 90:

Computes MapToPoint$(H_1(ID_i)) = Q_{IDi}$ ($i = 1, \ldots, n$) $\in E/\mathbb{F}_p$ of order $q$.
Selects a random number $\sigma \in \{0,1\}^n$.
Computes $r = H_3(\sigma, m)$, where $r$ is a random element that ensures only someone with the appropriate private key can decrypt the message $m$.
Computes $U = [r]P$.
Computes $g_{ID} = \prod_{1 \le i \le n} e(Q_{IDi}, P_{pub\,i}) \in \mathbb{F}_{p^2}$.
Computes $V = \sigma \oplus H_2(g_{ID}^{\,r})$.
Computes $W = m \oplus H_4(\sigma)$.
Sets the ciphertext to be $C = (U, V, W)$.

To decrypt the message $m$, the user 80:

Tests $U \in E/\mathbb{F}_p$ of order $q$;
Computes $x = e\left(\sum_{1 \le i \le n} d_{IDi}, U\right)$;
Computes $\sigma = V \oplus H_2(x)$;
Computes $m = W \oplus H_4(\sigma)$;
Computes $r = H_3(\sigma, m)$;
Checks $U = [r]P$.

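The following Python program is an added worked example of the multi-authority encryption just listed, and of the Tate-pairing variant two sections earlier whose decryption likewise pairs $U$ with the sum of the user's private keys; it is not part of the patent text. It again uses a constructed toy bilinear map (a point $aP$ stored as the scalar $a$, $e(aP, bP) = G^{ab} \bmod p$) that is bilinear but has no security, so the "order $q$" membership test on $U$ becomes a simple range check. The names pair, H1 to H4, ta_keygen, extract, encrypt and decrypt, the SHA-256/SHAKE hash instantiations and the list-of-(P_pub_i, ID_i) representation of the authorities are this example's own assumptions.

```python
import hashlib
import secrets

# --- toy bilinear map (constructed for this example; NOT a real Weil pairing) ---
# A "point" aP is stored as the scalar a mod N; e(aP, bP) = G^(ab) mod p.
# Bilinear like a real pairing, but with no security: it only checks the algebra.
P_MOD = (1 << 127) - 1   # p = 2^127 - 1 (a Mersenne prime)
N = P_MOD - 1            # G^N == 1 mod p, so pairing exponents reduce mod N
G = 3
P = 1                    # the public point P, i.e. the scalar 1


def pair(A, B):
    return pow(G, (A * B) % N, P_MOD)


# The four hash functions of the text, instantiated with SHA-256 / SHAKE-256
def H1(identity):       # MapToPoint(H1(ID_i)) = Q_IDi, a non-zero "point"
    return 1 + int.from_bytes(hashlib.sha256(b"H1" + identity).digest(), "big") % (N - 1)


def H2(g2_elem, n):     # F_p^2 -> {0,1}^n
    return hashlib.shake_256(b"H2" + g2_elem.to_bytes(16, "big")).digest(n)


def H3(sigma, m):       # {0,1}^n x {0,1}^n -> Z_q (non-zero, so U is never the identity)
    return 1 + int.from_bytes(hashlib.sha256(b"H3" + sigma + m).digest(), "big") % (N - 1)


def H4(sigma, n):       # {0,1}^n -> {0,1}^n
    return hashlib.shake_256(b"H4" + sigma).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Each trust authority TA_i: random s_i and P_pub_i = [s_i]P
def ta_keygen():
    s_i = secrets.randbelow(N - 1) + 1
    return s_i, (s_i * P) % N


# TA_i issues the user d_IDi = [s_i] Q_IDi for the identity the user registered with it
def extract(s_i, identity):
    return (s_i * H1(identity)) % N


def encrypt(authorities, m):
    """authorities: list of (P_pub_i, ID_i).  Returns the ciphertext C = (U, V, W)."""
    n = len(m)
    sigma = secrets.token_bytes(n)
    r = H3(sigma, m)
    U = (r * P) % N
    g_id = 1                                   # g_ID = prod e(Q_IDi, P_pub_i)
    for P_pub_i, identity in authorities:
        g_id = (g_id * pair(H1(identity), P_pub_i)) % P_MOD
    V = xor(sigma, H2(pow(g_id, r, P_MOD), n))  # sigma XOR H2(g_ID^r)
    W = xor(m, H4(sigma, n))
    return U, V, W


def decrypt(private_keys, ciphertext):
    """Returns m, or None when U is malformed or the re-derived r does not match U."""
    U, V, W = ciphertext
    if not 0 < U < N:                          # toy stand-in for "U in E/F_p of order q"
        return None
    x = pair(sum(private_keys) % N, U)         # e(sum d_IDi, U) == g_ID^r by bilinearity
    sigma = xor(V, H2(x, len(V)))
    m = xor(W, H4(sigma, len(W)))
    if U != (H3(sigma, m) * P) % N:            # integrity check: U must equal [r]P
        return None
    return m


if __name__ == "__main__":
    s1, Ppub1 = ta_keygen()
    s2, Ppub2 = ta_keygen()
    C = encrypt([(Ppub1, b"Bob"), (Ppub2, b"ACME")], b"secret for Bob at ACME")
    print(decrypt([extract(s1, b"Bob"), extract(s2, b"ACME")], C))
    print(decrypt([extract(s1, b"Bob")], C))   # one key alone: None
```

Decryption with only one of the two private keys produces the wrong $\sigma$, so the re-derived $r$ no longer satisfies $U = [r]P$ and the ciphertext is rejected rather than yielding garbage; the same final check rejects a ciphertext whose $W$ has been altered in transit, which is the pur
pose of binding $r$ to $(\sigma, m)$ through $H_3$.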
The second embodiment utilizing Weil pairings allows a user 80 to sign a message $m$.

The user signs a message $m \in \{0,1\}^n$ under a number of private keys $d_{IDi}$ ($i = 1, \ldots, n$), each respectively issued by a respective trust authority, i.e. $TA_i$ ($i = 1, \ldots, n$) corresponding to a public key $Q_{IDi}$ ($i = 1, \ldots, n$). The business partner 90 verifies the signature by using both the user's public keys corresponding to the signing private keys and the $TA_i$'s public keys.

As above, each trust authority chooses a large (at least 512-bit) prime $p$ such that $p \equiv 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$, with $E$ being defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$.

An arbitrary point on the elliptic curve is chosen where $P \in E/\mathbb{F}_p$ of order $q$.

Two hash functions are chosen:

$H_1 : \{0,1\}^* \to \mathbb{F}_p$;

and $H_2 : \{0,1\}^n \times \{0,1\}^* \to \mathbb{Z}_q$.

Each trust authority $TA_i$ ($i = 1, \ldots, n$) respectively selects a random $s_i \in \mathbb{Z}_q$ and sets $P_{pub\,i} = [s_i]P$.

The user 80 registers with each respective trust authority providing each trust authority with an appropriate independent identity, i.e. $ID_i$ ($i = 1, \ldots, n$) $\in \{0,1\}^*$.

Each trust authority then computes an appropriate MapToPoint$(H_1(ID_i)) = Q_{IDi} \in E/\mathbb{F}_p$ of order $q$ and sets the user's private key $d_{IDi}$ to be $d_{IDi} = [s_i]Q_{IDi}$.

To sign a message $m$, the user 80:

Selects a random $z \in \{0,1\}^n$;
Computes $U = [z]P$;
Computes $h = H_2(m, U)$;
Computes $V = [h]\sum_{1 \le i \le n} d_{IDi} + [z]\sum_{1 \le i \le n} P_{pub\,i}$;
Ships to the business partner $m$, $U$ and $V$.

To verify the signature $(m, U, V)$ the business partner 90:

Computes MapToPoint$(H_1(ID_i)) = Q_{IDi} \in E/\mathbb{F}_p$ of order $q$;
Computes $h = H_2(m, U)$;
Computes $x = e(P, V)$;
Computes $y = \prod_{1 \le i \le n} e(P_{pub\,i}, [h]Q_{IDi} + U)$;
Checks $x == y$.

The third embodiment utilizing Weil pairings provides a further embodiment that allows a user 80 to sign a message.

The user 80 signs a message $m \in \{0,1\}^n$ under a number of private keys $d_{IDi}$ ($i = 1, \ldots, n$), each respectively issued by a respective trust authority, i.e. $TA_i$ ($i = 1, \ldots, n$) corresponding to a public key $Q_{IDi}$ ($i = 1, \ldots, n$). The business partner 90 verifies the signature by using both the user's public keys corresponding to the signing private keys and the $TA_i$'s public keys.

As above, each trust authority chooses a large (at least 512-bit) prime $p$ such that $p \equiv 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$, with $E$ being defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$.

An arbitrary point $P$ on the elliptic curve is chosen, where $P \in E/\mathbb{F}_p$ of order $q$.

Two hash functions are chosen:
$H_1 : \{0,1\}^* \to \mathbb{F}_p$;
and $H_2 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q$.

Each trust authority $TA_i$ ($i = 1, \ldots, n$) respectively selects a random $s_i \in \mathbb{Z}_q$ and sets $P_{pub\,i} = [s_i]P$.

The user 80 registers with each respective trust authority providing each trust authority with an appropriate independent identity, i.e. $ID_i$ ($i = 1, \ldots, n$) $\in \{0,1\}^*$.

Each trust authority computes an appropriate MapToPoint$(H_1(ID_i)) = Q_{IDi} \in E/\mathbb{F}_p$ of order $q$ and sets the private key $d_{IDi}$ to be $d_{IDi} = [s_i]Q_{IDi}$.

To sign a message $m$, the user 80:

Selects a random $k \in \{0,1\}^n$;
Computes $e = e\left(\sum_{1 \le i \le n} d_{IDi}, P\right)$;
Computes $r = e^k$;
Computes $h = H_2(m, r)$;
Computes $S = ([k] - [h])\sum_{1 \le i \le n} d_{IDi}$;
Ships to the business partner $m$, $h$ and $S$.

To verify the signature $(m, h, S)$ the business partner 90:

Computes MapToPoint$(H_1(ID_i)) = Q_{IDi} \in E/\mathbb{F}_p$ of order $q$;
Computes $e' = \prod_{1 \le i \le n} e(Q_{IDi}, P_{pub\,i})$, which may be precomputed;
Computes $f = e(S, P) \cdot e'^{\,h}$;
Checks $h == H_2(m, f)$.

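The following Python program is an added worked example of both multi-authority signature schemes, the second embodiment (signature $(U, V)$ checked with $e(P, V) = \prod e(P_{pub\,i}, [h]Q_{IDi} + U)$) and the third embodiment (signature $(h, S)$ checked by recomputing $f = e(S, P) \cdot e'^{h}$); it is not part of the patent text. As in the earlier examples it uses a constructed toy bilinear map (a point $aP$ stored as the scalar $a$, $e(aP, bP) = G^{ab} \bmod p$) that is bilinear but has no security and serves only to confirm the algebra. The names pair, H1, H2, sign_a, verify_a, sign_b, verify_b and the list-of-(P_pub_i, ID_i) representation of the authorities are this example's own assumptions.

```python
import hashlib
import secrets

# --- toy bilinear map (constructed for this example; NOT a real Weil pairing) ---
# A "point" aP is stored as the scalar a mod N; e(aP, bP) = G^(ab) mod p.
# Bilinear like a real pairing, but with no security: it only checks the algebra.
P_MOD = (1 << 127) - 1   # p = 2^127 - 1 (a Mersenne prime)
N = P_MOD - 1            # G^N == 1 mod p, so pairing exponents reduce mod N
G = 3
P = 1                    # the public point P, i.e. the scalar 1


def pair(A, B):
    return pow(G, (A * B) % N, P_MOD)


def H1(identity):           # MapToPoint(H1(ID_i)) = Q_IDi, a non-zero "point"
    return 1 + int.from_bytes(hashlib.sha256(b"H1" + identity).digest(), "big") % (N - 1)


def H2(m, second):          # H2(m, U) or H2(m, r) -> Z_q; the second input is 16 bytes
    return int.from_bytes(hashlib.sha256(b"H2" + m + second).digest(), "big") % N


def as_bytes(x):            # fixed-width encoding of a point or G2 element (< 2^127)
    return x.to_bytes(16, "big")


def ta_keygen():            # TA_i: random s_i, P_pub_i = [s_i]P
    s_i = secrets.randbelow(N - 1) + 1
    return s_i, (s_i * P) % N


def extract(s_i, identity): # d_IDi = [s_i] Q_IDi
    return (s_i * H1(identity)) % N


# --- second embodiment: U = [z]P, h = H2(m, U), V = [h] sum d_IDi + [z] sum P_pub_i ---
def sign_a(private_keys, public_keys, m):
    z = secrets.randbelow(N - 1) + 1
    U = (z * P) % N
    h = H2(m, as_bytes(U))
    V = (h * sum(private_keys) + z * sum(public_keys)) % N
    return U, V


def verify_a(authorities, m, U, V):
    """authorities: list of (P_pub_i, ID_i).  Checks e(P, V) == prod e(P_pub_i, [h]Q_IDi + U)."""
    h = H2(m, as_bytes(U))
    x = pair(P, V)
    y = 1
    for P_pub_i, identity in authorities:
        y = (y * pair(P_pub_i, (h * H1(identity) + U) % N)) % P_MOD
    return x == y


# --- third embodiment: e = e(sum d_IDi, P), r = e^k, h = H2(m, r), S = ([k] - [h]) sum d_IDi ---
def sign_b(private_keys, m):
    k = secrets.randbelow(N - 1) + 1
    d_sum = sum(private_keys) % N
    e = pair(d_sum, P)
    r = pow(e, k, P_MOD)
    h = H2(m, as_bytes(r))
    S = ((k - h) * d_sum) % N
    return h, S


def verify_b(authorities, m, h, S):
    """e' = prod e(Q_IDi, P_pub_i) can be precomputed; f = e(S, P) * e'^h must hash back to h."""
    e_prime = 1
    for P_pub_i, identity in authorities:
        e_prime = (e_prime * pair(H1(identity), P_pub_i)) % P_MOD
    f = (pair(S, P) * pow(e_prime, h, P_MOD)) % P_MOD
    return h == H2(m, as_bytes(f))


if __name__ == "__main__":
    s1, Ppub1 = ta_keygen()
    s2, Ppub2 = ta_keygen()
    auths = [(Ppub1, b"Bob"), (Ppub2, b"ACME")]
    keys = [extract(s1, b"Bob"), extract(s2, b"ACME")]
    print(verify_a(auths, b"approved", *sign_a(keys, [Ppub1, Ppub2], b"approved")))
    print(verify_b(auths, b"approved", *sign_b(keys, b"approved")))
```

In both schemes the verifier recomputes every $Q_{IDi}$ from the claimed identities and pairs each with the corresponding $P_{pub\,i}$, so a signature only verifies when the signer held a key from every one of the listed authorities for exactly those identities; dropping an authority from the list, or substituting a different identity, makes the check fail.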
Method for generating a private key comprising generating a first and second cryptographic key for a first party; generating a third and fourth cryptographic key for a second party wherein the fourth cryptographic key is derived from the first and third cryptographic key; generating a number that in association with the second cryptographic key, the third cryptographic key and the fourth cryptographic key define a first cryptographic parameter, a second cryptographic parameter and a third cryptographic parameter respectively; combining the number with a third party's public key to define an associated private key.

Method for generating a cryptographic key comprising generating a 
first cryptographic key and a second cryptographic key for a first 
party; generating a third cryptographic key and fourth cryptographic 
key for a second party wherein the fourth cryptographic key is 
derived from the first cryptographic key and third cryptographic key; 
generating a number that in association with the second 
cryptographic key, the third cryptographic key and the fourth 
cryptographic key define a first, second and third cryptographic 
parameter respectively; combining the number with a fifth 
cryptographic key associated with a third party to define an 
associated cryptographic key such that an association can be 
established between the fifth cryptographic key of the third party 
and the second cryptographic key of the first party. 

Method for generating a private key comprising generating a first private key and public key for a first party; generating a second private and public key for a second party wherein the second private key is derived from the first private key and second public key; generate a number that in association with the first public key, the second private and public key define a first, second and third public parameter respectively; combining the number with a third public key associated with a third party to define an associated private key such that an association can be established between the third public key of the third party and the first public key of the first party.

Method according to claim 3, wherein the number is a random 
number. 

Method according to claim 3 or 4, wherein the association between 
the third public key and first public key is established using a 
bilinear map. 

Method according to claim 5, wherein the bilinear map is either a 
Tate or Weil pairing. 

Method according to any of claims 3 to 6, wherein the first party is a 
first trusted party and the second party is a second trusted party. 

Method for generating a private key comprising generating a first private key and public key for a first party; generating a second private and public key for a second party wherein the second private key is derived from the first private key and second public key; generate a third private key for the second party that in association with the first public key, the second private key and the second public key define a first cryptographic parameter, a second cryptographic parameter and a third public key respectively; combining the third private key with a third party's public key to define an associated private key such that an association can be established between the third public key of the second party and the first public key of the first party.

Computer apparatus for generating a private key comprising a 
processor arranged to generate a number that in association with a 
first private key and public key associated with a first party define a 
first and second public parameter respectively wherein the first 
private key is derived from a second private key associated with a 
second party and the first public key; and combining the number 
with a second public key associated with a third party to define an 
associated private key such that an association can be established 
between the second public key of the third party and a third public 
key of the second party. 

Computer apparatus according to claim 8, wherein the number is a 
random number. 

Computer apparatus according to claim 8 or 9, wherein the 
association between the second public key and the third public key 
is established using a Tate or Weil pairing. 

Computer apparatus according to any of claims, wherein the first 
party is a first trusted party and the second party is a second trusted 
party. 
ABSTRACT

METHOD AND APPARATUS FOR GENERATING A CRYPTOGRAPHIC KEY

Method for generating a cryptographic key comprising generating a first cryptographic key and a second cryptographic key for a first party; generating a third cryptographic key and fourth cryptographic key for a second party wherein the fourth cryptographic key is derived from the first cryptographic key and third cryptographic key; generating a number that in association with the second cryptographic key, the third cryptographic key and the fourth cryptographic key define a first, second and third cryptographic parameter respectively; combining the number with a fifth cryptographic key associated with a third party to define an associated cryptographic key such that an association can be established between the fifth cryptographic key of the third party and the second cryptographic key of the first party.

Figure 1